Privacy and cookie policy

This privacy notice tells you what to expect when the Wales Audit Office collects personal information and explains how we protect your privacy.

It applies to information we collect in connection with:

  • our statutory audit work
  • job applicants
  • current and former employees
  • correspondence and communications including subject access requests or freedom of information enquiries
  • our events
  • visitors to our website
  • the use of cookies by the Wales Audit Office
  • suppliers of goods or services
  • subscribers to our newsletter

Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing how your data is used, our information governance policies and procedures, privacy notices and your rights as an individual under data protection law. If you have any queries or concerns about our use of your personal information or this notice, please contact our Data Protection Officer, Martin Peters at infoofficer@audit.wales.

Data Protection Law

We process your personal data under data protection law applicable in the UK, which includes the Data Protection Act 2018 and the General Data Protection Regulation 2016 (GDPR). Information about data protection law is available on the ICO website.

We may only process personal data if we have a legal basis for that processing. The key legal bases for the work of the Auditor General or Wales Audit Office are processing that is necessary for:

  • Performance of a contract with the data subject, for example, our contracts of employment or contracts under which we receive or provide goods or services.
  • Compliance with a legal obligation, where we have a duty to do something under statute (where statute says we must or should do something).
  • Performance of a task in the public interest or in the exercise of official authority, where we have a power to do something (where statute says we may do something).

Other legal bases, which may also apply, include:

  • Consent, which must be freely given, specific, informed, clear and in the form of a statement or clear affirmative act on the part of the individual.
  • Necessary to protect vital interests: processing personal data to protect someone’s life, e.g. where someone needs medical help.

Our statutory work

When we undertake audit work under our statutory powers and duties we may collect information from public bodies that contains some personal data.

Personal data that we collect from public bodies or directly from individuals (but not through the use of cookies) may be used in audit tests to help us form audit opinions and to provide reports on accounts, value for money reports, improvement assessments, and sustainable development examination and inspection reports. We will only use this information for the purpose for which it was collected. We will hold it securely in accordance with our Information Security Policy, and when it is no longer needed it will be disposed of in accordance with the retention schedule within our Documents and Records Management Policy.

Please note that a separate privacy notice for our National Fraud Initiative (NFI) work is available within the NFI section of our website.

Job applicants

The information you provide as part of the application process will be treated in confidence and will be shared only with Human Resources and members of the selection panel for the purposes of the recruitment process. Where we want to disclose information about you to third parties, for example where a third party specialist is involved in the selection process or we want to take up a reference, we will not do so without informing you beforehand unless the disclosure is required by law.

We hold personal information about unsuccessful candidates for a maximum period of 2 years after the recruitment process has been completed, and it will then be destroyed or deleted. This information is used solely for monitoring purposes to form statistical reports on our recruitment activities.

A full job applicant privacy notice is provided to applicants as part of the job application process.

Current and former employees

Employees should refer to the employee privacy notice in the staff handbook. Following the end of your employment with the Wales Audit Office, we will retain your information in accordance with the requirements of our retention schedule and then delete it. We give employees who are leaving their employment with the WAO a full leavers privacy notice.

People who make a complaint or correspond with us

When we receive a complaint, correspondence or concerns about the Wales Audit Office or a public body we audit, or a subject access request or freedom of information request, we hold the correspondence in a file.

We will only use the personal information we collect to process the complaint, correspondence or request. We may have to disclose your details when we are investigating any matters that you raise, and if you tell us that you do not want us to disclose or share your personal information we will try to respect this. However, it may not be possible to investigate your request on an anonymous basis.

Where we share information, we will share the minimum necessary, and this may be with:

  • Auditors, inspectorates and other public or professional bodies
  • Professional advisors and consultants
  • Regulators, ombudsmen and commissioners
  • Healthcare professionals, social and welfare organisations
  • Police, prosecuting authorities and courts

We will keep information provided to us in complaints, correspondence, subject access or freedom of information requests in line with our retention policy.

Our events

When you sign up to an event that we have organised we collect specific information about you as a delegate, facilitator or contributor. Events can include conferences, engagement, or other meetings and events. To find out more, please read our events fair processing notice.

We organise and facilitate events on our own as well as in collaboration with other public bodies. Read our events terms of reference to find out more about our events.

Visitors to our website

We may need to communicate with visitors to our website for administrative or operational reasons. Where we collect specific information from you for this purpose, we will not pass it on to any other organisation.

We also collect standard internet log information and details of visitor behaviour patterns when someone visits our website. We do this to find out things such as the number of visitors to the various parts of our site, to monitor the download of our reports and publications and to help improve the service we provide.

This data collection process is carried out electronically in the background, and visitors to our website may not be aware that it is taking place. We believe that this process is not intrusive to visitors’ privacy, as we do not attempt to find out the identities of visitors to our website. The standard internet log information collected will only be used for the purposes mentioned and will not be passed on to any other organisation.

Use of Cookies

We use cookies to collect internet information from visitors to our website.  A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small file sent from a website and stored in a user's web browser when a user accesses certain websites.  We use cookies to help make our website function effectively and efficiently, and to give us information about your use of the site, along with that of other visitors.  Our recruitment webpages also use cookies to allow visitors to securely apply for vacancies.

The Wales Audit Office website uses Google Analytics, which is a web analysis tool, to collect the standard visitor log information we need to help us maintain and improve your visit experience. Google Analytics uses first-party cookies for this purpose. Information about Google Analytics and privacy at Google is available on the Google website. To opt out of being tracked by Google Analytics across all websites, visit the Google opt out page.

The Vimeo and Twitter software programmes in use on our site also use cookies, and the relevant cookie policies are as follows:

Other websites

Our website may contain links to other websites which are outside our control and are not covered by this notice. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy notice, which may differ from ours.

Social media features and widgets

Our website includes links to social media such as Facebook, Twitter and LinkedIn and these features may collect information such as your IP address, which web page you are looking at on our website and may set a cookie to enable a feature to function properly. Social media features may be hosted by a third party or directly on our website. Your interactions with these features are governed by the privacy policy of the company providing them.

Suppliers

We hold information about our suppliers in our financial management systems for the purpose of managing our relationship with them, such as placing orders and arranging for payment to be made.  The information may also be used for internal reporting purposes. 

Subscribers to our newsletter

We will not disclose to any third party email addresses or personal information provided by users when requesting news via email. Our newsletters are sent out to individuals who have expressly requested this service. You may unsubscribe from this service at any time.

Access to personal information

You have a right to access the personal data that we hold about you by making a ‘subject access request’. You will need to make such a request in writing to the Information Officer, enclosing proof of your identity (such as staff ID card, or copy of driving licence or passport) and a clear description of the information you wish to see.

Please send requests by email to infoofficer@audit.wales or write to us:

Information Officer
Wales Audit Office
24 Cathedral Road
Cardiff
CF11 9LJ

The Information Commissioner’s Office

If you require further information in relation to your rights under data protection law or want to complain about how we are handling your personal data, you may contact the Information Commissioner at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

email: casework@ico.gsi.gov.uk

Tel: 01625 545745
Fax: 01625 524510

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was updated in July 2018 and will be reviewed annually.